>> I don't know if anybody pointed it out before...

Yes I did, see http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html
----- Original Message -----
From: "Adam [ckkl]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 23, 2003 3:10 AM
Subject: IE - reading local files

> Hello,
>
> I don't know if anybody pointed it out before...
>
> While playing with IE [6.0] I found out that
> it is possible to read local files with a little
> help from the user...
>
> How it works?
> 1. IE lets you define style for the INPUT type=file tag,
>    including a clipping region, which makes it possible to
>    hide the "Browse..." button.
>
> 2. IE lets you handle 3 events
>    - ondragstart
>    - ondrag
>    - ondragend
>    for misc tags like DIV, INPUT, IMG and others
>
> 3. IE lets you change the content of the INPUT after
>    the user started to drag it
>
> Screenplay:
> - user selects text in source INPUT
> - user starts to drag text
> - ondragstart event is fired
> - the function takes control
>   and changes the content
>   of the source INPUT
> - user drops the text in
>   the uploading INPUT control
> - ondragend event is fired
> - function takes control and
>   submits the form at once
>
> Exploit:
> - create the INPUT uploading control (type=file)
> - change its style to make it look innocent
>   [remove border, clip the 'Browse...' button]
> - create the source INPUT control and make it
>   look like an innocent text [no borders, no focus]
> - write a simple handler for drag* events
> - it will change the content of the source INPUT
>   control to anything we want, f.ex. a local filename
> - seduce the user (f.ex. some kind of drag&drop
>   JavaScript game) to select text and drag it
>   into the uploading control area and when
>   it's done (ondragend), submit the form and this
>   way send the file to the server
>
> Proof of concept:
> http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html
>
> Best Regards
> Adam Blaszczyk
> reverser, coder, writer & researcher [VX/AV]
> http://www.symantec.com (Localization Engineer)
> http://www.mykakee.com (Home page)
> Whatever I say in this e-mail is my private opinion.
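The check a practitioner would want after reading this report is whether a given browser still lets script, or a drop of selected text, populate a file input, since that is the behaviour the whole technique depends on. The page below is an added feature test, not part of either post or of the linked proof of concept; the element ids, the placeholder filename and the log wording are constructed for the example. It relies on the current HTML specification, under which assigning a non-empty string to a file input's `value` must throw `InvalidStateError` and a drop can only select files the user actually dragged in.

```html
<!DOCTYPE html>
<!-- Added feature test (not from the original report): verifies that the
     browser does not let script or a text drop pick the file to upload. -->
<meta charset="utf-8">
<title>File input hardening check</title>
<input type="file" id="probe">
<input type="text" id="src" value="select and drag this text onto the file input">
<pre id="out"></pre>
<script>
  var probe = document.getElementById("probe");
  var out = document.getElementById("out");

  function log(msg) { out.textContent += msg + "\n"; }

  // Check 1: script must not be able to preset a path on a file input.
  // Current HTML requires the setter to throw for any non-empty string;
  // only "" (clear the selection) is accepted.
  function scriptCanSetFilePath(input) {
    try {
      input.value = "placeholder.txt";   // constructed; any non-empty string
    } catch (e) {
      return false;                       // thrown: hardening is in place
    }
    return input.value !== "";            // silently accepted: still vulnerable
  }

  // Check 2: a drop that carries no files (e.g. text selected on the page)
  // must not leave the file input holding a selection. A drop that carries
  // real files from the OS is a legitimate user choice and is reported as such.
  probe.addEventListener("drop", function (ev) {
    var droppedFiles = ev.dataTransfer ? ev.dataTransfer.files.length : 0;
    // the browser applies the drop to the input after handlers return,
    // so inspect the result on the next turn of the event loop
    setTimeout(function () {
      var selected = probe.files.length;
      log("drop carried " + droppedFiles + " file(s); input now holds " + selected);
      if (droppedFiles === 0 && selected > 0) {
        log("a non-file drop populated the file input: INVESTIGATE");
      } else {
        log("file input only reflects files the user actually dropped: OK");
      }
    }, 0);
  });

  log("script can set file path: " + scriptCanSetFilePath(probe));
</script>
```

Open the page, read the first log line, then select the text in the second box and drop it onto the file input; a hardened browser reports `false` for the first check and leaves `probe.files` empty after the text drop.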